exchangelib: Autodiscover failing with Office 365

Hello!

I seem to have caught a bug with the autodiscover HTTP redirect with an Office 365 environment. The autodiscover is trying to use the CNAME value of the DNS record autodiscover-s.outlook.com, which causes an error because the SSL certificate on Microsoft's side only accepts *.outlook.com and not “outlook.ms-acdc.office.com”.

If in https://github.com/ecederstrand/exchangelib/blob/master/exchangelib/autodiscover.py#L443 I simply return the hostname received as a parameter directly, the autodiscover works fine.

DEBUG:exchangelib.autodiscover:Trying autodiscover on http://autodiscover.redacted.com/Autodiscover/Autodiscover.xml
DEBUG:exchangelib.transport:Getting autodiscover auth type for http://autodiscover.redacted.com/Autodiscover/Autodiscover.xml
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): autodiscover.redacted.com
DEBUG:urllib3.connectionpool:http://autodiscover.redacted.com:80 "HEAD /Autodiscover/Autodiscover.xml HTTP/1.1" 302 0
DEBUG:exchangelib.autodiscover:We were redirected to https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
DEBUG:exchangelib.autodiscover:Attempting to get canonical name for autodiscover-s.outlook.com
DEBUG:exchangelib.autodiscover:autodiscover-s.outlook.com has canonical name outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Canonical hostname is outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Trying autodiscover on https://outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:exchangelib.transport:Getting autodiscover auth type for https://outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): outlook.ms-acdc.office.com
ERROR:urllib3.connection:Certificate did not match expected hostname: outlook.ms-acdc.office.com. Certificate: {'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'Washington'),), (('localityName', 'Redmond'),), (('organizationName', 'Microsoft Corporation'),), (('commonName', 'outlook.com'),)), 'issuer': ((('countryName', 'US'),), (('organizationName', 'DigiCert Inc'),), (('commonName', 'DigiCert Cloud Services CA-1'),)), 'version': 3, 'serialNumber': '0ECD90EC9E8A91E1DED5DE9E714F0FF4', 'notBefore': 'Sep 13 00:00:00 2017 GMT', 'notAfter': 'Sep 13 12:00:00 2018 GMT', 'subjectAltName': (('DNS', '*.clo.footprintdns.com'), ('DNS', '*.nrb.footprintdns.com'), ('DNS', '*.hotmail.com'), ('DNS', '*.internal.outlook.com'), ('DNS', '*.live.com'), ('DNS', '*.office.com'), ('DNS', '*.office365.com'), ('DNS', '*.outlook.com'), ('DNS', '*.outlook.office365.com'), ('DNS', 'attachment.outlook.live.net'), ('DNS', 'attachment.outlook.office.net'), ('DNS', 'attachment.outlook.officeppe.net'), ('DNS', 'ccs.login.microsoftonline.com'), ('DNS', 'ccs-sdf.login.microsoftonline.com'), ('DNS', 'hotmail.com'), ('DNS', 'mail.services.live.com'), ('DNS', 'office365.com'), ('DNS', 'outlook.com'), ('DNS', 'outlook.office.com'), ('DNS', 'substrate.office.com'), ('DNS', 'substrate-sdf.office.com')), 'OCSP': ('http://ocspx.digicert.com',), 'caIssuers': ('http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt',), 'crlDistributionPoints': ('http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl', 'http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl')}
DEBUG:exchangelib.autodiscover:Trying autodiscover on https://autodiscover.outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:exchangelib.transport:Getting autodiscover auth type for https://autodiscover.outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): autodiscover.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Trying autodiscover on http://autodiscover.outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:exchangelib.transport:Getting autodiscover auth type for http://autodiscover.outlook.ms-acdc.office.com/Autodiscover/Autodiscover.xml
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): autodiscover.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Attempting to get canonical name for autodiscover.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Nonexistent domain autodiscover.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Attempting to get SRV record on autodiscover.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Attempting to get SRV record on _autodiscover._tcp.outlook.ms-acdc.office.com
DEBUG:exchangelib.autodiscover:Releasing_autodiscover_cache_lock

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 4
  • Comments: 16 (10 by maintainers)
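
The certificate mismatch in the log above can be reproduced offline by checking each hostname the client tried against the DNS subjectAltName entries of the logged certificate. This is an added example, not code from the issue or from exchangelib; the function names are assumptions, and the SAN list is a subset copied from the log.

```python
# Added example: TLS hostname matching (RFC 6125 style) against the
# certificate shown in the issue's debug log. Not exchangelib code.

# Subset of the DNS subjectAltName entries copied from the logged certificate.
LOGGED_SANS = [
    "*.office.com",
    "*.office365.com",
    "*.outlook.com",
    "*.outlook.office365.com",
    "outlook.com",
    "outlook.office.com",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry covers hostname.

    A '*' is honoured only as the complete leftmost label, and it stands in
    for exactly one label. Partial wildcards such as 'f*.example.com' are
    treated as literal labels, so they never match.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def matching_sans(hostname: str, sans=LOGGED_SANS) -> list:
    """List every SAN entry that would let verification succeed for hostname."""
    return [san for san in sans if san_matches(san, hostname)]


if __name__ == "__main__":
    # Hostnames taken from the debug log: the redirect target, its CNAME,
    # and the name derived from the CNAME on the next attempt.
    for host in (
        "autodiscover-s.outlook.com",
        "outlook.ms-acdc.office.com",
        "autodiscover.outlook.ms-acdc.office.com",
    ):
        hits = matching_sans(host)
        print(f"{host}: {'OK via ' + ', '.join(hits) if hits else 'no matching SAN'}")
```

The redirect target has three labels and is covered by *.outlook.com, while the CNAME has four labels, so *.office.com cannot cover it. Verifying against the name from the redirect URL rather than the DNS canonical name also keeps the check independent of unauthenticated DNS answers.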

Most upvoted comments

Ok, I can reproduce that here when auto discovering an Office365-hosted email address. What is really needed is a complete rewrite of the autodiscover code to more closely follow the autodiscover protocol. For now, try uncommenting this and the following 3 lines to avoid hitting and getting stuck on http://autodiscover.outlook.ms-acdc.office.com. Unfortunately, it may affect other sites that need this functionality.

https://github.com/ecederstrand/exchangelib/blob/e1fef7b6e4209443261ca1bd7c5bfc85f9822518/exchangelib/autodiscover.py#L291

FWIW, the following link describes a somewhat different autodiscover algorithm that Office 2016 follows: https://support.microsoft.com/en-us/help/3211279/outlook-2016-implementation-of-autodiscover

We may want to follow that instead of the “classic” autodiscover algorithm, since it provides more detail on caching and follows an O365-first approach. It seems almost everyone is moving to O365 these days anyway. It will still work with on-premise Exchange, of course.